Principles of Computer Security: CompTIA Security+® and Beyond, Second Edition © 2010 Web Components Chapter 17

Feb 23, 2016

Web Components. Chapter 17. Objectives. Describe the functioning of the SSL/TLS protocol suite. Explain web applications, plug-ins, and associated security issues. Describe secure file transfer options. Explain directory usage for data retrieval. - PowerPoint PPT Presentation
Page 1: Web Components

Principles of Computer Security: CompTIA Security+® and Beyond, Second Edition

© 2010

Web Components

Chapter 17

Page 2: Web Components

Objectives
• Describe the functioning of the SSL/TLS protocol suite.
• Explain web applications, plug-ins, and associated security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that present security concerns.
• Use cookies to maintain parameters between web pages.
• Examine web-based application security issues.

Page 3: Web Components

Key Terms
• Active Server Pages (ASP)
• ActiveX
• ASP.NET
• Authenticode
• Buffer overflow
• Code signing
• Common Gateway Interface (CGI)
• Common Vulnerabilities and Exposures (CVE)

Page 4: Web Components

Key Terms (continued)
• Common Weakness Enumerations (CWE)
• Cookies
• File Transfer Protocol (FTP)
• Hypertext Markup Language (HTML)
• Inlining
• Internet Engineering Task Force (IETF)
• Java
• JavaScript

Page 5: Web Components

Key Terms (continued)
• Lightweight Directory Access Protocol (LDAP)
• PHP
• Plug-ins
• Secure Sockets Layer (SSL)
• Server-side scripting
• Transport Layer Security (TLS)
• Uniform Resource Locator (URL)
• X.500

Page 6: Web Components

Current Web Components and Concerns
• Security concerns can be grouped into three main tasks:
– Securing a server that delivers content to users over the Web.
– Securing the transport of information between users and servers over the Web.
– Securing the user’s computer from attack over a web connection.

Page 7: Web Components

Web Protocols
• Common protocols used on the Web:
– Encryption (SSL and TLS)
– The Web (HTTP and HTTPS)
– Directory Services (DAP and LDAP)
– File Transfer (FTP and SFTP)

Page 8: Web Components

Encryption (SSL and TLS)
• Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet.
• Transport Layer Security (TLS): SSL and TLS are essentially the same, although not interchangeable.
• Cryptographic methods are an ever-evolving field, and because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.
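What the handshake actually guarantees depends on the client validating the server's certificate and refusing obsolete protocol versions. The block below is an added example, not code from the textbook: it builds a deliberately weak client context beside a hardened one using Python's standard ssl module and audits both for the settings that matter. The function names and finding keys are this example's own.

```python
"""Added example, not from the textbook: audit a Python ssl.SSLContext for the
settings that make an SSL/TLS handshake deliver peer identity (certificate
validation), integrity and confidentiality. Function names and finding keys
are this example's own."""
import ssl
from typing import Dict, List

# Short keys for each finding, mapped to what it means for the handshake.
FINDINGS: Dict[str, str] = {
    "no-cert-verification": "verify_mode is not CERT_REQUIRED: the server's "
                            "certificate is never validated, so any certificate is accepted",
    "no-hostname-check": "check_hostname is off: a valid certificate issued "
                         "to a different host is accepted",
    "legacy-tls-allowed": "minimum_version is below TLS 1.2: obsolete protocol "
                          "versions with known weaknesses can be negotiated",
}


def weak_client_context() -> ssl.SSLContext:
    """A context that still encrypts but checks nothing about who it talks to.
    Order matters: check_hostname must be disabled before CERT_NONE is set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """create_default_context() loads the system trust store and turns on
    certificate and hostname validation; add an explicit TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the finding keys that apply to ctx (an empty list means it passes)."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        keys = audit_context(ctx)
        print(f"{label}: {'OK' if not keys else ''}")
        for k in keys:
            print(f"  - {k}: {FINDINGS[k]}")
```

The weak context negotiates an encrypted channel just like the hardened one, which is why an `https://` prefix on its own proves little: without `CERT_REQUIRED` and `check_hostname` the client will happily complete the handshake with whoever answers.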

Page 9: Web Components

IE 8 Security Options

Page 10: Web Components

Encryption (SSL and TLS): Firefox SSL Security Options

Page 11: Web Components

Encryption (SSL and TLS): Firefox SSL Cipher Options

Page 12: Web Components

SSL/TLS Handshake

Page 13: Web Components

How SSL/TLS Works: IE 8 Certificate Management Options

Page 14: Web Components

IE 8 Certificate Store

Page 15: Web Components

Firefox Certificate Options

Page 16: Web Components

Firefox Certificate Store

Page 17: Web Components

SSL/TLS Attacks
• SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks.
• A Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS.

Page 18: Web Components

The Web (HTTP and HTTPS)
• HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers.
• When a secure connection is needed, SSL/TLS is used and appears in the address as https://.

Page 19: Web Components

The Web (HTTP and HTTPS) (continued)

• High-assurance notification in IE 7

• High-assurance notification in Firefox

Page 20: Web Components

Directory Services (DAP and LDAP)
• A directory is designed and optimized for reading data, offering very fast search and retrieval operations.
• LDAP offers all of the functionality most directories need and is easier and more economical to implement.

Page 21: Web Components

SSL/TLS LDAP
• SSL/TLS provides several important functions to LDAP services:
– Establish the identity of a data source through the use of certificates.
– Provide for the integrity and confidentiality of the data being presented.

Page 22: Web Components

File Transfer (FTP and SFTP)
• FTP is a standard network protocol used to exchange and manipulate files over a TCP/IP-based network.
• Secure FTP (SFTP) is used when confidential transfer is required and combines both the Secure Shell (SSH) protocol and FTP.

Page 23: Web Components

Vulnerabilities
• Just because SSL is enabled does not mean the user is safe.
• Key loggers can record what is being typed on a user’s computer before it is encrypted.
• A company’s database can get hacked, releasing your information to the world.

Page 24: Web Components

Code-based Vulnerabilities

Page 25: Web Components

Buffer Overflows
• The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers.
• This occurs when an application can accept more input than it has assigned storage space, and the input data overwrites other program areas.

Page 26: Web Components

Java
• Java is a computer language invented by Sun Microsystems as an alternative to Microsoft’s development languages.
• Designed to be platform-independent.
• Java offered a low learning curve and a way of implementing programs across an enterprise.
• Although platform independence never fully materialized, Java has found itself to be a leader in object-oriented programming languages.
• Java can still perform malicious activities, and the fact that many users falsely believe it is safe increases its usefulness for attackers.

Page 27: Web Components

JavaScript
• JavaScript is a scripting language developed to be operated within a browser instance.
• The primary purpose is to enable features such as validation of forms.
• Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.
• JavaScript actually runs within the browser, and the code is executed by the browser itself.
• This has led to compatibility problems.

Page 28: Web Components

Java and JavaScript: Java Configuration Settings in Microsoft Internet Explorer 7

Page 29: Web Components

Java and JavaScript: Security Setting Functionality Issues

Page 30: Web Components

ActiveX
• ActiveX is a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft.
– Used to download and execute code automatically over an Internet-based channel.
– Can enable a browser to display a custom type of information in a particular way.
– Can perform complex tasks, such as update the operating system and application programs.

Page 31: Web Components

ActiveX (continued)

ActiveX Security Settings in IE 8

Page 32: Web Components

Securing the Browser
• Added features mean weaker security.
• No browser is 100 percent safe.
• Currently Firefox coupled with the NoScript plug-in provides good protection.
– The NoScript plug-in allows the user to determine from which domains to trust scripts.

Page 33: Web Components

CGI & Server-Side Scripts

• Common Gateway Interface (CGI) is a method for having a web server execute a program outside the web server process, yet on the same server.

• Server-side scripting allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page. This is replacing CGI.

Page 34: Web Components

Cookies
• Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance.
• A cookie is a series of name-value pairs that is stored in memory during a browser instance, with attributes such as:
– Expires
– Domain
– Path
– Secure
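The four attributes listed above are what decide whether a browser returns a cookie with a later request, and the Secure flag is the one that keeps a session cookie off plain http:// connections. The following is an added example, not code from the textbook: a small Set-Cookie parser and a "would the browser send this?" check that applies Expires, Domain, Path and Secure the way a browser does (simplified from RFC 6265). The header lines, host names, dates and function names are constructed for this example.

```python
"""Added example, not from the textbook: a small Set-Cookie parser plus the
check a browser makes before returning a cookie, covering the four attributes
named on the slide: Expires, Domain, Path and Secure (simplified from RFC 6265).
The header lines, host names and dates below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                         # host the cookie applies to, no leading dot
    host_only: bool                     # True when no Domain attribute was given
    path: str = "/"
    expires: Optional[datetime] = None  # None means a session cookie
    secure: bool = False


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse 'name=value; Attr=val; Flag' into a Cookie. origin_host is the
    host that sent the header; without a Domain attribute the cookie is host-only."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=origin_host.lower(), host_only=True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val)  # RFC 1123 date
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()      # leading dot is ignored
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
    return cookie


def domain_matches(cookie_domain: str, host: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_be_sent(cookie: Cookie, scheme: str, host: str, path: str, now: datetime) -> bool:
    """Apply the attributes the way a browser does: an expired cookie is discarded,
    a Secure cookie never travels over plain http, then Domain and Path must match."""
    if cookie.expires is not None and cookie.expires <= now:
        return False
    if cookie.secure and scheme != "https":
        return False
    if cookie.host_only:
        if host.lower() != cookie.domain:
            return False
    elif not domain_matches(cookie.domain, host):
        return False
    return path_matches(cookie.path, path)


def insecure_cookie_names(headers: List[str], origin_host: str, now: datetime) -> List[str]:
    """Names of live cookies that lack Secure and so would be exposed on an
    http:// request to the same site."""
    cookies = [parse_set_cookie(h, origin_host) for h in headers]
    return [c.name for c in cookies
            if not c.secure and (c.expires is None or c.expires > now)]


# Constructed sample: three headers as a server at www.example.com might send.
ORIGIN = "www.example.com"
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "prefs=dark; Domain=.example.com; Path=/account",
    "promo=old; Expires=Thu, 01 Jan 2009 00:00:00 GMT",
]
NOW = datetime(2016, 2, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h, ORIGIN)
        print(c.name,
              "https:", would_be_sent(c, "https", ORIGIN, "/account/settings", NOW),
              "http:", would_be_sent(c, "http", ORIGIN, "/account/settings", NOW))
    print("sent in the clear:", insecure_cookie_names(SAMPLE_HEADERS, ORIGIN, NOW))
```

Run as a script it shows that `session` is returned only over https, that `prefs` (set with a Domain attribute) is shared with every host under example.com but only under the `/account` path, and that the expired `promo` cookie is never sent; `insecure_cookie_names` is the check a reviewer would run against a server's Set-Cookie headers to find session-bearing cookies missing the Secure flag.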

Page 35: Web Components

Cookies (continued): Firefox Cookie Management

Page 36: Web Components

Cookies (continued): Microsoft Internet Explorer 7 Cookie Management

Page 37: Web Components

Cookies (continued): Microsoft Internet Explorer 7 Cookie Store

Page 38: Web Components

Signed Applets
• The ability to use a certificate to sign an applet allows the identity of the author to be established.
• A signed applet can be hijacked as easily as a graphic or any other file.
• Inlining is using an embedded control from another site with or without the other site’s permission.

Page 39: Web Components

Browser Plug-ins
• Plug-ins are small application programs that increase a browser’s ability to handle new data types and add new functionality.
• Dynamic data such as movies and music can be manipulated by a wide variety of plug-ins, and one of the most popular comes from Real Networks.

Page 40: Web Components

Browser Plug-ins (continued): Add-ons for IE 8

Page 41: Web Components

Open Vulnerability and Assessment Language (OVAL)

• OVAL comprises two main elements: an XML-based machine-readable language for describing vulnerabilities, and a repository.

• Common Vulnerabilities and Exposures (CVE) is a system that provides a reference method for publicly known information-security vulnerabilities and exposures.

Page 42: Web Components

Web 2.0 and Security
• The foundations of security apply the same way in Web 2.0 as they do elsewhere.
• With more capability and greater complexity comes a greater need for strong foundational security efforts.

Page 43: Web Components

Chapter Summary
• Describe the functioning of the SSL/TLS protocol suite.
• Explain web applications, plug-ins, and associated security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that present security concerns.
• Use cookies to maintain parameters between web pages.
• Examine web-based application security issues.